Vulnerabilities > CVE-2019-1161 - Unspecified vulnerability in Microsoft products

047910
CVSS 7.1 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
microsoft
nessus

Summary

An elevation of privilege vulnerability exists when MpSigStub.exe, the Malware Protection Signature Update Stub used by Defender, allows file deletion in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. The attacker could then run a specially crafted command that exploits the vulnerability and deletes protected files on an affected system the next time MpSigStub.exe runs. The update addresses the vulnerability by blocking the arbitrary deletion.

Nessus

NASL family: Windows
NASL id: MICROSOFT_DEFENDER_MPSIGSTUB_1_1_16200_1.NASL
description: The version of Microsoft Malware Protection Signature Update Stub (MpSigStub.exe) installed on the remote Windows host is prior to 1.1.16200.1. It is, therefore, affected by an elevation of privilege vulnerability which could allow an attacker who successfully exploited this vulnerability to elevate privileges on the system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 127910
published: 2019-08-16
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/127910
title: Microsoft Defender Elevation of Privilege Vulnerability (CVE-2019-1161)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata branch: when `description` is set the script only registers the
# attributes below and leaves through exit(0) at the end of the block, so none
# of the version-check code further down runs in this mode.
if (description)
{
  script_id(127910);
  script_version("1.3");
  script_cvs_date("Date: 2019/10/17 14:31:05");

  # Identifiers a consumer can use to correlate this finding with other feeds.
  script_cve_id("CVE-2019-1161");
  script_xref(name:"IAVA", value:"2019-A-0294");

  script_name(english:"Microsoft Defender Elevation of Privilege Vulnerability (CVE-2019-1161)");
  script_summary(english:"Checks the MpSigStub.exe version.");

  # NOTE(review): synopsis and description speak only of "elevation of
  # privilege"; the vectors below score integrity and availability (C:N),
  # so the text understates that the concrete impact is on files. Confirm the
  # wording against the MSRC advisory linked below.
  script_set_attribute(attribute:"synopsis", value:
"An antimalware application installed on the remote host is affected by
an elevation of privilege vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Microsoft Malware Protection Signature Update Stub (MpSigStub.exe) installed on the remote Windows host
is prior to 1.1.16200.1. It is, therefore, affected by a elevation of privilege vulnerability which could allow an
attacker who successfully exploited this vulnerability to elevate privileges on the system.");
  # The see_also value is a shortened link; the comment on the next line
  # records the advisory it is meant to resolve to.
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1161
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3b8b2fb0");
  script_set_attribute(attribute:"solution", value:
"Enable automatic updates to update the scan engine for the relevant antimalware applications. Refer to Knowledge Base
Article 2510781 for information on how to verify that MMPE has been updated.");
  # Base vectors: local attack vector, low complexity, no confidentiality
  # impact, full integrity and availability impact. The v3 vector additionally
  # requires low privileges (PR:L). Temporal vectors mark exploit code as
  # unproven (E:U) with an official fix available.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1161");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # Disclosure and patch share one date; the plugin followed three days later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/16");

  # "local" plugin type: presumably the check needs authenticated access to the
  # host rather than a network probe -- consistent with the file-version read
  # performed after this block.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:windows_defender");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites declared to the scanner: the smb_hotfixes.nasl dependency,
  # the SMB/Registry/Enumerated KB key and the SMB ports 139/445.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  # Registration done; stop before the detection code.
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");

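# Detection logic: read the file version of <SystemRoot>\System32\MpSigStub.exe
# through the hotfix file-check helpers and compare it with the first fixed
# build. The check is version-based only; it does not test whether the
# deletion behaviour is actually reachable on the host.
app = 'Microsoft Malware Protection Signature Update Stub';
winroot = NULL;
mpsigstub_path = NULL;
version = NULL;
fix = "1.1.16200.1";

# Same KB key the description block declares as required.
get_kb_item_or_exit("SMB/Registry/Enumerated");

winroot = hotfix_get_systemroot();
if (!winroot) exit(1, "Failed to get the system root.");

# Double-quoted NASL strings are taken literally, so the backslashes below are
# path separators, not escape sequences. Only this one path is inspected;
# copies of MpSigStub.exe stored elsewhere on the host are not examined.
mpsigstub_path =  winroot + "\System32\MpSigStub.exe";

ver = hotfix_get_fversion(path:mpsigstub_path);

# Only a missing file means "not installed". Every other failure (for example
# the share or the file could not be read) is surfaced as an error instead of
# being audited as "not detected", which would read as a clean result for a
# host that was never actually checked.
if (ver['error'] == HCF_NOENT) audit(AUDIT_NOT_DETECT, app);
if (ver['error'] != HCF_OK)
  exit(1, "Failed to get the file version of '" + mpsigstub_path + "'.");

# ver['value'] holds the version components; join them into dotted form so
# they can be compared with `fix` and printed in the report.
version = join(ver['value'], sep:'.');

if (ver_compare(ver:version, fix:fix) < 0)
{
  # Installed build is older than the fixed one: report path and both versions
  # so the finding can be verified by hand on the host.
  report =  '\n  Product           : ' + app;
  report += '\n  Path              : ' + mpsigstub_path;
  report += '\n  Installed version : ' + version;
  report += '\n  Fixed version     : ' + fix;
  report += '\n';

  security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
}
else audit(AUDIT_INST_VER_NOT_VULN, app, version);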